"Hindsight is 20/20" is an old cliché that laments the clarity of retrospection and the regret that often accompanies having overlooked (or ignored) the now-obvious ingredient that contributed to an unfortunate event. Often the sentiment is one that implies that preventing the mishap was within the speaker's power but for the making of an ill-informed decision. Implied is the wish that things would be different "if I could do it again…"
Today, organizations all over the world are looking ahead to May 25, 2018, the date that Europe's General Data Protection Regulation (GDPR) takes effect, and are trying to put in place the means to avoid having to utter those words. They are reading the law, huddling with consultants, and checking with their legal and technical teams so that when May 24 dawns they can go to bed confident they've done all they can do.
But there's evidence that the time and money being spent today may not be going to the right places, and that many companies, despite earnest efforts to prepare in advance, will fall short of GDPR compliance.
The BBC reports that a recent survey of board members of 105 companies listed on the FTSE350, the largest 350 British companies on the London Stock Exchange, reveals that one in 10 lacks any plans for dealing with a cyberattack, and that more than two-thirds are untrained for such an event, despite the fact that more than half acknowledge that a cyberattack is a primary threat to their organization.
Read that again. The survey didn't find that one in 10 organizations believes it is unprepared for an attack or lacks confidence in its preparedness. One in 10 companies lacks any plan for dealing with a cyberattack. In the first weeks of 2018, it is unfathomable to consider that 10% of large, global corporations have no plan for dealing with the inevitability of an attack on their networks and an attempt to access data.
What reasoning could there possibly be for dereliction of duty of this kind? With no specific knowledge or insight, I can only speculate. But it's human nature to make no decision when overwhelmed with an abundance of information. Clearly, even in the age of big data analytics, there are successful businesses and business leaders who find themselves in that situation. They will be in for a rude awakening if, after GDPR takes effect, they experience a data breach and — with no plan on file to prove a good-faith effort at prevention — suffer a steep reputational and financial blow.
Whatever the reason — paralysis of where to start/how to face an invisible threat, misguided "can't happen to me" delusion, or just compacted at the bottom of a list of more pressing business critical functions — ignoring the very real possibility of coming under the hammer of the European Commission and writing a check equal to 4% of gross global revenue cannot be taken lightly.
There is another cliché appropriate to this situation: forewarned is forearmed. However, with repeated and massive alarms raised and extensive discussion of the issues, forearmed has at this point eclipsed forewarned as an imperative. With so many companies seemingly following horror movie tropes of running toward a threat or simply not evaluating the situation with anything resembling common sense, there are three areas that, if given focus and careful consideration, can not only serve to prevent an organization from falling under the non-compliance blade but can improve overall security posture against any compromise or loss:
- Communication. Start by ensuring that both business and IT are working toward a common goal of safe and frictionless operations with a clear understanding of how to document the roles of stakeholders in advance of material compromise. This includes discussions, role definition, and process development for executive, legal, communications, security, HR, and even the corporate board.
- Connect the dots. This will involve mapping the business environment and assessing risk, from infrastructure to the critical assets most likely to be targeted and understanding all the ways in which exposure can occur.
- Continuous evaluation. Once both the risk has been measured and the roles have been defined, it's necessary to validate the process and plans — repeatedly. From technologies that can test and simulate attacks, to tabletop exercises that play out response plans/responsibilities, to engagement with services firms to root out vulnerability, it's important to discover both the points of exposure and the impact of change to keep organizations from security atrophy and continuously in compliance.